Multi-Level OT Cybersecurity
SigaML2 applies unsupervised machine learning to detect suspicious process-level behavior across all levels of the Purdue Model (0-4). The system learns normal operating conditions directly from process data and establishes behavioral baselines both for individual variables and for the relationships between them.
By continuously monitoring deviations from these learned patterns, SigaML2 identifies abnormal behavior that may indicate operational issues or potential cyber incidents.
A baseline of normal operating behavior is established by analyzing individual process variables over time. These univariate models learn the expected range of fluctuations for each signal under typical operating conditions.
Once defined, the baseline serves as a reference for continuous monitoring, and deviations outside the learned range are identified as anomalous behavior.
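As an added illustration of the univariate baseline described above (example code written for this page, not SIGA's implementation, whose statistics are not published), the following Python learns the normal range of one signal as its mean plus or minus k standard deviations over a training window and then flags live samples that fall outside it. The tank-level signal, the k = 3 width and the step change in the live window are all constructed assumptions for the example.

```python
import math
from statistics import mean, pstdev


def learn_univariate_baseline(samples, k=3.0):
    """Learn the normal range of one process variable.

    The range is mean +/- k standard deviations of the training window and
    plays the role of the red boundary lines on the baseline charts: anything
    outside it later is treated as anomalous. The training window must contain
    only normal operation, or the abnormal behaviour becomes part of the baseline.
    """
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu - k * sigma, mu + k * sigma


def univariate_anomalies(samples, low, high):
    """Return the indices of samples that fall outside the learned range."""
    return [i for i, v in enumerate(samples) if v < low or v > high]


def tank_level(t):
    # Constructed signal: a tank level (%) oscillating gently around 60.
    return 60.0 + 2.0 * math.sin(t / 5.0)


# Constructed training window: 300 samples of normal operation.
TRAIN = [tank_level(t) for t in range(300)]
LOW, HIGH = learn_univariate_baseline(TRAIN)

# Constructed live window: normal for 40 samples, then the level steps up by
# 15 points (for example a stuck valve or a tampered setpoint) for 20 samples.
LIVE = [tank_level(t) for t in range(40)] + [tank_level(t) + 15.0 for t in range(40, 60)]

if __name__ == "__main__":
    print(f"learned range: {LOW:.2f} .. {HIGH:.2f}")
    print("training anomalies:", univariate_anomalies(TRAIN, LOW, HIGH))
    print("live anomalies:", univariate_anomalies(LIVE, LOW, HIGH))
```

The training window produces no alarms by construction, while every sample after the step lands outside the learned range. In practice the width k is the knob that trades false positives against sensitivity, which is what a learning period is used to tune.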
Relationships between multiple process variables are analyzed to understand how inputs and outputs interact within the system. The Trees Correlation Model builds and continuously monitors correlation patterns across related signals.
Shifts in these expected correlations may indicate abnormal process behavior that cannot be detected when variables are examined individually.
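The following added example (written for this page; the Trees Correlation Model itself is proprietary and this linear-residual check is only a stand-in for the idea) shows why a relationship check catches what a per-variable check cannot. It learns how flow normally follows pump speed from a constructed training set, then evaluates a constructed live window in which the flow reading is frozen at a value that is perfectly normal on its own while the pump speed keeps changing. The signal names, the 0.8 ratio and the frozen value are assumptions for the example.

```python
import math
from statistics import mean, pstdev


def fit_relationship(xs, ys):
    """Learn how y normally follows x: least-squares y ~ a*x + b plus the
    standard deviation of the residuals (how tightly y tracks x).

    Illustrative stand-in for a correlation model: learn the relationship,
    then watch for the relationship breaking.
    """
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    a = sxy / sxx
    b = my - a * mx
    sigma = pstdev([y - (a * x + b) for x, y in zip(xs, ys)])
    return a, b, sigma


def relationship_anomalies(xs, ys, model, k=4.0):
    """Indices where y is further than k residual sigmas from what x predicts."""
    a, b, sigma = model
    return [i for i, (x, y) in enumerate(zip(xs, ys)) if abs(y - (a * x + b)) > k * sigma]


def range_anomalies(values, lo, hi):
    """Plain univariate check: indices outside the learned [lo, hi] range."""
    return [i for i, v in enumerate(values) if v < lo or v > hi]


# Constructed training data: pump speed (%) cycles between 40 and 80 and
# flow (m3/h) follows it at 0.8 * speed with a little measurement noise.
TRAIN_SPEED = [40.0 + (i % 41) for i in range(400)]
TRAIN_FLOW = [0.8 * s + 0.3 * math.sin(i) for i, s in enumerate(TRAIN_SPEED)]
MODEL = fit_relationship(TRAIN_SPEED, TRAIN_FLOW)
SPEED_RANGE = (min(TRAIN_SPEED), max(TRAIN_SPEED))
FLOW_RANGE = (min(TRAIN_FLOW), max(TRAIN_FLOW))

# Constructed live data: 30 samples of normal tracking, then 10 samples in which
# the pump runs at 75% but the flow measurement is frozen at 48.0, a value that
# lies well inside the flow's own normal range (as a replayed reading would).
LIVE_SPEED = [50.0 + i for i in range(30)] + [75.0] * 10
LIVE_FLOW = [0.8 * s + 0.3 * math.sin(i) for i, s in enumerate(LIVE_SPEED[:30])] + [48.0] * 10


def analyze(speed, flow):
    """Return (speed range alarms, flow range alarms, relationship alarms)."""
    return (
        range_anomalies(speed, *SPEED_RANGE),
        range_anomalies(flow, *FLOW_RANGE),
        relationship_anomalies(speed, flow, MODEL),
    )


if __name__ == "__main__":
    a, b, sigma = MODEL
    print(f"learned: flow ~ {a:.3f} * speed + {b:.3f}, residual sigma {sigma:.3f}")
    print("(speed range, flow range, relationship) alarms:", analyze(LIVE_SPEED, LIVE_FLOW))
```

Both univariate checks stay silent for the whole live window, because 75% speed and 48 m3/h are each ordinary values; only the relationship check fires, on exactly the ten samples where flow stops following speed.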
Historical process data is used to forecast expected future behavior of individual variables and system states. Real-time operating data is continuously compared against these predicted patterns.
Divergence between predicted and actual behavior provides early indication of abnormal conditions that may evolve into operational issues or cyber incidents within the monitored process.
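To make the predicted-versus-actual comparison concrete, here is an added example (written for this page, not SIGA's forecasting model, whose method is not published). It forecasts each hour of a daily cycle from the average of earlier days, then compares live data against the forecast in two ways: a point check that fires on a single large error, and a CUSUM that accumulates small errors so a slow drift is noticed before any single sample looks wrong. The temperature signal, the 24-sample period, the day-to-day swing in the history and the drift rate are constructed assumptions.

```python
import math
from statistics import mean, pstdev

PERIOD = 24  # hourly samples, one daily cycle (assumption for this example)


def learn_profile(history, period=PERIOD):
    """Learn the expected value for each phase of the cycle plus the residual
    standard deviation of the history against that profile.

    Seasonal-profile forecast (illustrative stand-in): the prediction for a
    future hour is the average of what the process did at that hour on earlier days.
    """
    profile = [mean(history[p::period]) for p in range(period)]
    residuals = [v - profile[i % period] for i, v in enumerate(history)]
    return profile, pstdev(residuals)


def first_point_alarm(live, profile, sigma, k=4.0, period=PERIOD):
    """Index of the first live sample more than k sigma from its forecast, or None."""
    for i, v in enumerate(live):
        if abs(v - profile[i % period]) > k * sigma:
            return i
    return None


def first_cusum_alarm(live, profile, sigma, slack=0.5, threshold=6.0, period=PERIOD):
    """Index at which accumulated positive forecast error exceeds threshold*sigma, or None.

    Every sample adds its error minus a small slack, so a persistent bias piles
    up even when no single residual is large enough to trip the point check.
    """
    s = 0.0
    for i, v in enumerate(live):
        s = max(0.0, s + (v - profile[i % period]) - slack * sigma)
        if s > threshold * sigma:
            return i
    return None


def temperature(hour, amplitude, drift=0.0):
    # Constructed jacket temperature: daily cosine around 50 plus an optional linear drift.
    return 50.0 + amplitude * math.cos(2 * math.pi * hour / PERIOD) + drift * hour


# Constructed history: nine days whose daily swing alternates between 4.8, 5.0 and 5.2.
HISTORY = [temperature(h, 5.0 + 0.2 * (d % 3 - 1)) for d in range(9) for h in range(PERIOD)]
PROFILE, SIGMA = learn_profile(HISTORY)

# Constructed live days: a normal day at the upper end of the learned swing, and a
# day with a slow +0.03 per hour drift (for example a failing sensor or a setpoint
# being nudged a little at a time).
NORMAL_DAY = [temperature(h, 5.2) for h in range(PERIOD)]
DRIFT_DAY = [temperature(h, 5.0, drift=0.03) for h in range(PERIOD)]


def evaluate(live):
    """Return (first point alarm index, first CUSUM alarm index) for one live day."""
    return first_point_alarm(live, PROFILE, SIGMA), first_cusum_alarm(live, PROFILE, SIGMA)


if __name__ == "__main__":
    print(f"residual sigma learned from history: {SIGMA:.3f}")
    print("normal day (point, cusum):", evaluate(NORMAL_DAY))
    print("drift day  (point, cusum):", evaluate(DRIFT_DAY))
```

On the normal day neither check fires. On the drift day the CUSUM raises an alarm at hour 9, while the point check needs until hour 16 for a single residual to exceed four sigma; that gap is the "early indication" the text refers to.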
Unsupervised ML identifies patterns and anomalies without labeled examples of attacks or hand-written rules. Because it flags anything that departs from the learned baseline rather than matching known signatures, it can surface behavior caused by previously unseen attacks, including so-called “Zero Day” attacks. The trade-off is that an anomaly alert says that the process departed from its baseline, not why; an operator or analyst still has to determine whether the cause is a fault, a legitimate process change or an intrusion.
These graphs represent the initial baseline established by the Univariate Model. The blue bars indicate the range of normal fluctuations in this variable over time. The red lines represent the boundaries of the normal range. Any data points falling outside these boundaries in future monitoring could signify an anomaly.
After the baseline is set, the models continuously monitor real-time data, comparing it to the baseline to detect any deviations that could signify an anomaly.
These graphs show a significant deviation from the established baseline. The blue points outside the normal range, marked by the red lines, indicate an anomaly. This behavior could be indicative of a potential issue that requires further investigation.
In the image above, there are two lines: one representing the predicted behavior and the other showing the actual behavior. Any divergence between these lines indicates a deviation that the model has flagged as a potential concern.
SIGA uses an unsupervised machine learning approach that analyzes actual process-level data rather than relying on predefined engineering models. Instead of comparing behavior against theoretical expected outputs, it learns the real operational baseline of each specific environment, so the system remains effective even when documentation is incomplete, outdated or inaccurate. Because detection is based on live data patterns, SIGA adapts to infrastructure changes and evolving operational conditions.
Traditional tools often focus on single variables or predefined thresholds, which limits their ability to detect complex or coordinated events. SIGA performs multivariate and correlation analysis, identifying anomalies that emerge across multiple interdependent variables. It can detect subtle deviations, gradual parameter shifts, and abnormal changes in variable relationships. This enables early detection of operational issues and sophisticated cyber threats that may appear normal when viewed in isolation.
SIGA typically undergoes a 3–6 week learning period to establish a precise operational baseline. During this phase, the algorithms analyze historical and real-time data to understand the unique characteristics of the monitored process. The system fine-tunes its detection parameters to minimize false positives while maintaining high sensitivity to real anomalies. Once the baseline is established, monitoring continues dynamically, allowing the model to adapt to operational changes over time. Because whatever the system observes during this window becomes its definition of normal, the learning period should cover representative, healthy operation: a fault or an intrusion already present while learning would be absorbed into the baseline, and any later re-learning should be treated as a controlled change rather than run unattended.
Because SIGA does not rely on static system models or predefined rules, it is less exposed to attacks that manipulate a model-based defense. Even if attackers inject data that appears consistent with expected system behavior, SIGA evaluates the underlying data patterns and correlations in real time: if the relationships between variables deviate from learned norms, the system flags the anomaly. This enables detection of advanced attacks designed to evade traditional rule-based or model-dependent defenses. The practical limit of any correlation-based approach is that at least one independently measured, correlated signal has to disagree with the forged data; an adversary who can consistently falsify every related measurement leaves no relationship to break, which is an argument for feeding the model signals from more than one source.